Defense Minister AK Antony has finally made a statement on the recent cyber espionage events reported in “Shadows in the Cloud“. Please do read the response – “Hacking of Security Information“, it won’t take a lot of time. It is a relief to see someone asking the questions at the right level and the questions actually being answered. Now let us take a look at the answer (emphasis added).

certain internet facing computers were compromised by the hackers which had no sensitive defence data

While it is reassuring that the Minister thinks no sensitive data was leaked, something doesn’t add up. The report states:

“Although there is public information available on these military projects, it indicates that the attackers managed to compromise the right set of individuals that may have knowledge of these systems that is not publicly known. We recovered documents and presentations relating to the following projects:

We also found that documents relating to network centricity (SP’s Land Forces 2008) and network-centric warfare had been exfiltrated, along with documents detailing plans for intelligence fusion and technologies for monitoring and analysing network data (Defence Research and Development Organisation 2009).

That is of course just the “defence” bit. It is hard to believe that all that information on the missile systems and warfare strategy is public knowledge. Now to the “sensitive” non-defence part of the report’s content:

We recovered one document that appears to be an encrypted diplomatic correspondence, two documents classified as “SECRET”, six as “RESTRICTED”, and five as “CONFIDENTIAL”. These documents contain sensitive information taken from a member of the National Security Council Secretariat concerning secret assessments of India’s security situation in the states of Assam, Manipur, Nagaland and Tripura, as well as concerning the Naxalites and Maoists. In addition, they contain confidential information taken from Indian embassies regarding India’s international relations with and assessments of activities in West Africa, Russia/Commonwealth of Independent States and the Middle East, as well as visa applications, passport office circulars and diplomatic correspondence. The attackers also exfiltrated detailed personal information regarding a member of the Directorate General of Military Intelligence.

It is indeed true that none of this is defence data, but it sure looks sensitive.

So, either all this exfiltrated information was public knowledge (highly unlikely), or India doesn’t consider any of it (including the missile programme details) as “sensitive defence data”, or the report is wrong, or of course the Minister has not been properly informed.

Pick your poison, I guess.

Services Headquarters have an information security policy and their networks are audited as per the guidelines.

The recent Times of India article, on how the Indian Army is increasing its network and system defences to the “highest standard”, is interesting in that it does not say anything much at all, except for the nugget of information that they perform a “cyber audit process” “in accordance with established security standards such as ISO 27001”. Let us come back to the 27001 audit process later and examine the rest of the article first.

Any article that has utterances like “impenetrable” and “unhackable” automatically raises a red flag in my paranoid brain. Networks are “impenetrable” and passwords are “unhackable” until they are not. One would expect such frivolous words from the marketing department of a software company (no disrespect to Oracle), not from the Indian Army.

The mention of a Computer Emergency Response Team (CERT) is confusing. Is this CERT the same as CERT-In? As far as I know CERT-In does not have a mandate over the military or Critical National Infrastructure (CNI). Do not let the wording “to respond to attacks” fool you into thinking that anything beyond log analysis, root cause analysis and the associated clean-up steps is taken as part of this response. Nothing in the literature or in off-the-record conversations has shown any hint that the army is involved in anything more than passive defence when it comes to cyber security.

Now, to the juicy bit. The article states:

Another official said the army has its own cyber audit process conducted by cyber security personnel.

“The audit is conducted in accordance with established security standards such as ISO 27001. Audit of the network is a continuous and active process which helps identification and mitigation of vulnerabilities in a network to counter latest threats as also check the network for cyber security policy compliance,” he said.

Don’t get me wrong, it is heartening to see that the army is following audit processes to bolster its network and system defense and they should be commended for it. But the use of ISO 27001 just does not cut it for a military institution.

ISO 27001 is a set of requirements for information security management systems (ISMS) against which an organisation can be certified. Its Annex A lists eleven control areas, starting with institution-wide issues (Security Policy, Organization of Information Security) and eventually drilling into more operational areas (Access Control, Systems Acquisition/Development/Maintenance etc.). At the highest level, the standard requires an institution to establish an information security management programme: an information security organisation that performs a risk assessment, selects controls from Annex A in a Statement of Applicability, and crafts and drives the InfoSec policies in the institution. The certification audit then checks the subsequent areas against those self-selected policies and controls.

As it pertains to the claim that 27001 would make the army resilient to cyber attacks, three important points need to be kept in mind:

First, and most obvious, is that the efficacy of the standards established by the ISMS organisation themselves is not evaluated. The auditor checks that the organisation did what its own policies and Statement of Applicability say it would do, not whether those policies would stop a capable adversary. So, while an entity may “pass” a 27001 audit, it says little, if anything, about how strong or otherwise the organisation’s information security practices are.

Second, 27001 is designed for corporations that desire international certification. It is not geared for defence establishments. The US DoD, for example, is assessed by multiple agencies which more or less follow the baseline set out by the DoD Information Assurance Certification and Accreditation Process (DIACAP) and highlighted in the DoD Audit Manual. Standards for information security in the US DoD have gradually evolved from the earlier Bell-LaPadula model and a dozen others to the hybrids that are now in place. Again, 27001 does not even come into the picture.

Third, 27001 certifications are essentially policy and process reviews. Annex A does contain technical controls (vulnerability management, access control, network security), but the audit verifies that a control exists and is operated as documented; it does not get into network/hardware/software hardening or test the control against an attacker. For example, no penetration test is required as part of a 27001 certification. A 27001 certificate will therefore not give the Indian Army or the MoD reasonable assurance that its infrastructure is hardened and can deter reasonably sophisticated attacks.

So while it is good to know that audits are being conducted and that the system “emphasises on the people and the process”, let us not kid ourselves that mismatched ISO processes like 27001 will make the systems and the networks any more secure. What we do risk is becoming complacent based on the misplaced sense of security and assurance given by these audit processes.